[syslog-ng] syslog-ng 3.0.4 not adjusting for daylight savings time

Balazs Scheidler bazsi at balabit.hu
Tue Mar 23 10:54:50 CET 2010


On Mon, 2010-03-22 at 14:21 -0500, Patrick A. Green wrote:
> 
> Balazs Scheidler wrote:
> > On Mon, 2010-03-22 at 12:01 -0500, Patrick A. Green wrote:
> >   
> >> Balazs Scheidler wrote:
> >>     
> >>> On Thu, 2010-03-18 at 09:19 -0500, Chris Fabri wrote:
> >>>   
> >>>       
> >>>> On Thu, Mar 18, 2010 at 4:53 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> >>>>     
> >>>>         
> >>>>> On Wed, 2010-03-17 at 09:44 -0500, Chris Fabri wrote:
> >>>>>       
> >>>>>           
> >>>>>> I have a red hat 3 system running 3.0.4  It did not successfully
> >>>>>> adjust for daylight savings time.    Everything else on the system is
> >>>>>> fine - syslog is showing the correct time stamps, the system reports
> >>>>>> the correct time.   Restart of syslog-ng, and shutting down both
> >>>>>> syslog and syslog-ng did not help.  I didn't see anything in the lists
> >>>>>> addressing this, here are details of my syslog-ng:
> >>>>>>
> >>>>>> [fabric at netlog dhcp]$ sudo /usr/local/sbin/syslog-ng -V
> >>>>>> syslog-ng 3.0.4
> >>>>>> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
> >>>>>> Compile-Date: Aug 24 2009 16:54:31
> >>>>>> Enable-Threads: off
> >>>>>> Enable-Debug: off
> >>>>>> Enable-GProf: off
> >>>>>> Enable-Memtrace: off
> >>>>>> Enable-Sun-STREAMS: off
> >>>>>> Enable-Sun-Door: off
> >>>>>> Enable-IPv6: on
> >>>>>> Enable-Spoof-Source: off
> >>>>>> Enable-TCP-Wrapper: on
> >>>>>> Enable-SSL: off
> >>>>>> Enable-SQL: off
> >>>>>> Enable-Linux-Caps: on
> >>>>>> Enable-Pcre: off
> >>>>>>
> >>>>>>
> >>>>>>  I didn't see anything in the man page for adjusting for time.  I have
> >>>>>> keep_timestamp(no) configured in my conf file.   The systems sending
> >>>>>> the syslog files time is correctly adjusted for daylight savings.  Is
> >>>>>> this a bug in this particular version, or am I just missing the right
> >>>>>> flag or something?     chris
> >>>>>>         
> >>>>>>             
> >>>>> You state that syslog is showing correct timestamps. Is that syslogd? Or
> >>>>> where do you see the problem?
> >>>>>
> >>>>>       
> >>>>>           
> >>>> Problem is only with syslog-ng.   syslogd is working fine.   
> >>>>     
> >>>>         
> >>> Can you give a more concrete example? Like the timezone you are in, the
> >>> message that gets misinterpreted.
> >>>
> >>> syslog-ng should cope with timezones well. We had a recent related issue
> >>> that it didn't work, but only in the transition window (e.g. for one
> >>> hour until the DST becomes non-DST or vica versa)
> >>>
> >>>
> >>>
> >>>   
> >>>       
> >> I'm in Chicago so US/Central which is -0600 in Winter and -0500 in Summer.
> >>
> >> Here's an example of the log:
> >>
> >> Mar 22 11:34:34 netlog-e0 su(pam_unix)[4974]: session opened for user 
> >> root by ...
> >> Mar 22 10:38:16 netlog-e0 netlog syslog-ng[20695]: Log statistics ...
> >>
> >> Here's the important part of the configuration concerning time:
> >>     
> >
> > and which is the expected time? 11:34 or 10:38?
> >
> >   
> 
> 10:38 should be 11:38.

And any time you restart syslog-ng, it stays the same? The difference
between the two log messages is that one of them gets generated by
syslog-ng, the other is sent by an application. 

Is this the same throughout your log file (e.g. all syslog-ng messages
are off, while normal logs are OK?)

Are these logs received from a remote host, or they are both local?
Could you please give more information about your environment?

I've added your testcase to my unit test collection and it seems to
detect the timezone offset properly:

diff --git a/tests/unit/test_zone.c b/tests/unit/test_zone.c
index 5f9a044..ef9a8ba 100644
--- a/tests/unit/test_zone.c
+++ b/tests/unit/test_zone.c
@@ -158,6 +158,10 @@ main(int argc, char *argv[])
   testcase("NZ", 1111240799, 13*3600);
   /* Mar 20 02:00:00 2005 (NZT) +1200 */
   testcase("NZ", 1111240800, 12*3600);
+  
+  testcase("US/Central", 1269337645, -5*3600);
+  testcase("US/Central", 1266879600, -6*3600);
+
 
   now = time(NULL);
 

Are you sure syslog-ng's local timezone is properly set? Is syslog-ng
running in a chroot? If it is, is the timezone in the chroot properly
set?

-- 
Bazsi




More information about the syslog-ng mailing list